What is Privilege Escalation?

unsplash-image-9SoCnyQmkzI.jpg

What is the big deal about privilege escalation? Why is it a crucial step in the hacking process? Once attaining an initial foothold (access) to an environment one of the key steps followed by most hackers is to elevate their current privileges and either become an administrator or a superuser. This expands the attack vectors the attacker can deploy and also helps in creating persistence in the environment. The process and steps taken to gain higher privileges and become a superuser are known as ‘Privileges Escalation’. 

There are various techniques to elevate privileges in an environment. Typically, the technique used for privilege escalation depends on the operating system and the architecture. A few of the common techniques used include:

  1. Abuse of Elevation Control Mechanism: Adversaries may exploit the operating system mechanism used to control and assign privileges. Most modern operating systems use a built-in control mechanism that overlooks the permissions and defines the actions performed by a user. Exploiting this control mechanism can give an attacker varied levels of privileges.

  2. Access Token Tampering: Each running process in Windows has an access token associated with it. The access tokens determine the ownership of the process. Attackers can impersonate or modify these access tokens to perform tasks as a different user.

  3. Boot Autostart Execution: Attackers can modify / re-configure system settings to execute programs and processes on boot or logon. Most operating systems have designated folders that contain the executable program to be run on logon.

  4. Create/ Modify system Process: Attackers in many environments can modify or create system-level processes. On Linux and Windows-based systems, these processes are known as services. Modifying a running service or creating a new service to perform certain tasks not only helps in elevating privileges but also aids in setting persistence.

  5. Domain Policy Modification: In a domain environment it is common for adversaries to modify configuration settings of a domain to evade defenses as well as perform privilege escalation. By compromising and elevating privileges at the domain level, an attacker can manage how computer resources act, interact with the network and with each other.

  6. Escape to Host: Each operating system has a container set up for each user. The container defines the scope of a user in an environment. It is often possible to break out of this container and gain access to the host at the core.

  7. Event-Triggered Execution: Most operating systems have system mechanisms that trigger execution based on specific events. Attackers can take advantage of this and trigger certain events to perform to run scripts or execute a payload.

  8. Software Exploitation: Adversaries may attack third-party software installed in the system to gain higher privileges. A software vulnerability in a third-party application that has been trusted in the environment can be taken advantage of to deploy and execute payloads.

  9. Hijack Execution Flow: It is also possible for an attacker to deploy and execute their payloads by hijacking the way the operating system runs programs. Hijacking the execution flow can also be used to evade asset defenses, such as restrictions on execution and application control.

  10. Process Injection: This method executes arbitrary code in the address space of a separate live process. Injecting code can facilitate in evading process-based defenses and help in privilege escalation. This method also helps against end-point detection tools because the parent process is marked as a legitimate action and hence the action performed by this process is inherently deemed legitimate by the third-party detection tools.

  11. Scheduled Tasks/Jobs: Windows has scheduled tasks, while Linux has scheduled jobs in-build in the operating system architecture. These tasks or jobs are set to run specific processes and execute programs at a specific time. Such tasks can be set by malicious actors to execute scripts and payload which in turn help executing the payload and create persistence.

  12. Valid Accounts: It is possible for an attacker to not deploy any payloads and simply log in as a legitimate user with the right credentials. These credentials can either be found while enumerating the internal system or through external breaches published on the dark web.

Tools

Various tools can be used to perform privilege escalation. Some of my favorite tools which I use most often are: 

Peas: WinPeas and LinPeas have helped me numerous times in the past by scrapping admin or root password. Peas Github

Mimikatz: This tool has extracted plain text passwords, hashes, pin codes, and Kerberos tickets for me in the past. I recommend this tool. Mimikatz Github 

BeRoot: BeRoot is a Linux program that identifies system misconfiguration and provides a path to privilege escalation. BeRoot Github

JAWS: PowerShell plays a vital role in the windows environment; Just Another Windows Script or JAWS is a Powershell script used to determine the privilege escalation vectors in windows. JAWS Github

PowerSploit: PowerSploit is a collection Powershell framework that aids in performing a variety of tasks including privilege escalation. PowerSploit Github

Kartavya Trivedi

Kartavya is a Penetration Tester and Red-Team member at Cira Infotech, Inc. Kartavya has a proven track record of penetration testing and vulnerability assessment with various public sector and private sector clients. He has designed and developed a one-of-a-kind penetration testing application to scan, enumerate, and exploit networks, web apps, and cloud services. Kartavya has also presented at the Georgia Annual Academic Cybersecurity Conference and Georgia STEM symposium on topics pertaining to offensive security. He is currently a Top 700 Hacker in the US on the prominent hacking platform HackTheBox.

https://www.linkedin.com/in/kartavyatrivedi/
Previous
Previous

What is a Buffer OverFlow Attack?

Next
Next

Why is Threat Modeling important?